Cleartext Transmission of Sensitive Information (CWE-319)

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit.

Rozpowszechnienie

Wysoka

Często wykorzystywana

Wplyw

Wysoki

5 reguł o wysokim poziomie

Zapobieganie

Udokumentowane

6 przykładów poprawek

2 Zapobieganie

Jak naprawić tę podatność

🐹 Go Zobacz wszystko Go szczegóły →

Echo Running Without TLS HIGH

Use StartTLS instead of Start to enable HTTPS encryption

+1 -1 go

  package main
  
  import "github.com/labstack/echo/v4"
  
  func main() {
      e := echo.New()
      e.POST("/api/login", loginHandler)
-     e.Start(":8080")
+     e.StartTLS(":443", "cert.pem", "key.pem")
  }

Fiber Running Without TLS HIGH

Use ListenTLS instead of Listen to enable HTTPS encryption

+1 -1 go

  package main
  
  import "github.com/gofiber/fiber/v2"
  
  func main() {
      app := fiber.New()
      app.Post("/api/login", loginHandler)
-     app.Listen(":3000")
+     app.ListenTLS(":443", "cert.pem", "key.pem")
  }

Gin Running Without TLS LOW

Use RunTLS instead of Run to enable HTTPS encryption

+1 -1 go

  package main
  
  import "github.com/gin-gonic/gin"
  
  func main() {
      r := gin.Default()
      r.POST("/api/login", loginHandler)
-     r.Run(":8080")
+     r.RunTLS(":443", "cert.pem", "key.pem")
  }

☸️ Kubernetes Zobacz wszystko Kubernetes szczegóły →

Ingress Missing TLS Configuration HIGH

Configure TLS on Ingress resources to encrypt traffic in transit

+8 -1 yaml

  apiVersion: networking.k8s.io/v1
  kind: Ingress
- spec:
+ metadata:
+   annotations:
+     cert-manager.io/cluster-issuer: letsencrypt-prod
+ spec:
+   tls:
+   - hosts:
+     - example.com
+     secretName: example-tls
    rules:
    - host: example.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: web
              port:
                number: 80

Insecure TLS Verification Disabled HIGH

Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates

+1 -1 yaml

  apiVersion: v1
  clusters:
  - cluster:
      server: https://192.168.0.100:8443
-     insecure-skip-tls-verify: true
+     certificate-authority: /path/to/ca.crt
    name: my-cluster
  kind: Config

🐍 Python Zobacz wszystko Python szczegóły →

HTTP Used Instead of HTTPS HIGH

Use HTTPS for all external requests and enable SSL redirect in frameworks

+2 -2 python

  import requests
  
- API_URL = "http://api.example.com"
- response = requests.get(f"{API_URL}/data")
+ API_URL = "https://api.example.com"
+ response = requests.get(f"{API_URL}/data", verify=True, timeout=10)

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Cleartext Transmission of Sensitive Information. 6 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=319

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (6)

🐹 Go 3 rules

Echo Running Without TLS HIGH

Echo server running over HTTP instead of HTTPS.

Fiber Running Without TLS HIGH

Fiber server running over HTTP instead of HTTPS.

Gin Running Without TLS LOW

Gin server running over HTTP instead of HTTPS.

📄 Yaml 2 rules

Ingress Missing TLS Configuration HIGH

Detects Kubernetes Ingress resources without TLS configuration.

Insecure TLS Verification Disabled HIGH

Detects when TLS certificate verification is disabled in Kubernetes configurations.

☸️ Kubernetes 1 rules

Ingress Missing TLS Configuration HIGH

Detects Kubernetes Ingress resources without TLS configuration.

🐍 Python 1 rules

HTTP Used Instead of HTTPS HIGH

Detects use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, or data transmission. HTTP traffic is sent in cleartext and can be intercepted. Always use HTTPS.

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Cleartext Transmission of Sensitive Information. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠

Ingress exposes HTTP traffic without TLS encryption kubernetes-ingress-missing-tls

🟠

Kubernetes Ingress resources without TLS configuration kubernetes-ingress-missing-tls

🟠

TLS certificate verification disabled (vulnerable to MITM attacks) kubernetes-skip-tls-verify

🟠

when TLS certificate verification is disabled in Kubernetes configurations kubernetes-skip-tls-verify

🟠

use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, python-http-not-https

🔍

Przeskanuj swój kod w poszukiwaniu Cleartext Transmission of Sensitive Information

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły